> On 6 June 2016 at 16:46, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
> On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote:
> 
>> I've just enabled DANE and https://dane.sys4.de
>> is green when I test my domain numeezy.com.  Also
>> postfix SMTP client says "Verified TLS connection established to
>> mail-in-1.numeezy.com[188.165.154.163]:25: TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
>> 
>> Maybe some DANE expert here can definitely confirm that my setup is sane.
> 
> Yes, your DANE TLSA records match for both the primary and secondary
> MX hosts.  You've also *not* made the mistake of using the same
> certificate for both the primary and secondary MX hosts, thereby
> risking an outage of both when you replace a single certificate.
> And you're using "3 1 1" records which are stable when you renew
> your certificate with the same private key.  So overall, quite
> good, however you can do even better, see:
> 
>    https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
> 
> based on which I would strongly recommend:
> 
>    _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1 cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48
>    _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
> 
>    _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e
>    _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
> 
> The above is based on the below observed DNS records, certificate
> chain and associated matching TLSA records:
> 
>    numeezy.com. IN MX 1 mail-in-1.numeezy.com.
>    numeezy.fr. IN MX 1 mail-in-1.numeezy.com.
>    medialta.com. IN MX 1 mail-in-1.numeezy.com.
>    medialta.fr. IN MX 1 mail-in-1.numeezy.com.
>    medialta.eu. IN MX 1 mail-in-1.numeezy.com.
>    mail-in-1.numeezy.com. IN A 188.165.154.163 ; passed
>    _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1 cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48 ; passed at depth=0
>    ;
>    ;    Depth: actual=0, wire=0
>    ;    Subject = CN=mail-in-1.numeezy.com,O=Numeezy SARL,L=PARIS,ST=Ile-de-France,C=FR
>    ;    Issuer = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
>    ;    Valid from 2016-05-17T12:16:30Z until 2019-05-17T12:16:30Z
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1 cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 0 1 50f417dbdab3677847eb0107d363044f4166eed1bb333daf6320d6b8daefb70e
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 2 5061dc02e6df14ad409acb5c2bb4992f80e1a5a1cc53faa5d81bd42d644010260e9a94747599c49df6b576981a6c6bf02b86764758c2bf4008ae6387f558a7c4
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 0 2 b7b3d2036ad1d77d6c187e1f3fd9de28fc3f74af725a48c242bebc8eb1c4af56b06747bb1622cb27ef696f8741d09066d640768f9caa944a8981da174752a058
>    ;
>    ;    Depth: actual=1, wire=1
>    ;    Match = mail-in-1.numeezy.com
>    ;    Subject = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
>    ;    Issuer = CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
>    ;    Valid from 2015-12-16T01:00:05Z until 2030-12-16T01:00:05Z
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 0 1 ea4e5d2b9c99560f13dd094b8121a623bfdd902038dfd6d772ce32ffabec094d
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 2 d26da4f0733b1f4af61f9db3c0e5bd6e379022e41038cb2cf7f38e273bdcaf98e0afd9b119e0fd85b090afec3d46020cbaee0158015666360ccc73418a0d3794
>    ; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 0 2 6a4bd383b21927f44f09263819d2917edbd8a8ea58d97dac48c26a1e88e5c7062691366f79300705da4b68b5bf9153477241f7603faf4ac03d1cde69abaef328
> 
>    numeezy.com. IN MX 5 mail-in-2.numeezy.com.
>    numeezy.fr. IN MX 5 mail-in-2.numeezy.com.
>    medialta.com. IN MX 5 mail-in-2.numeezy.com.
>    medialta.fr. IN MX 5 mail-in-2.numeezy.com.
>    medialta.eu. IN MX 5 mail-in-2.numeezy.com.
>    mail-in-2.numeezy.com. IN A 37.59.203.174 ; passed
>    _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e ; passed at depth=0
>    ;
>    ;    Depth: actual=0, wire=0
>    ;    Subject = CN=mail-in-2.numeezy.com,O=Numeezy SARL,L=PARIS,ST=Ile-de-France,C=FR
>    ;    Issuer = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
>    ;    Valid from 2016-05-17T12:39:52Z until 2019-05-17T12:39:52Z
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 0 1 c49354b6b553fed27d8b66aa42a7be4f18d8979e5c6260bd62d174051fb58b3a
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 2 7292aba36d879109a7ef70143ca3dc499c7774b693f4e6f9392ccb8b365b084cf583ee2533d4987582d8e8626c7f4d894826f3df0e686c07c201a5af08020b86
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 0 2 cd703c0fd747873a29d6467dc6e18fc7334a94918e59d9c6a9ba7320f1c8aea8473fe8d1edac9f3e2e7d6099eb17231832c5cc013500340be22c3830e91a21a2
>    ;
>    ;    Depth: actual=1, wire=1
>    ;    Match = mail-in-2.numeezy.com
>    ;    Subject = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
>    ;    Issuer = CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
>    ;    Valid from 2015-12-16T01:00:05Z until 2030-12-16T01:00:05Z
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 0 1 ea4e5d2b9c99560f13dd094b8121a623bfdd902038dfd6d772ce32ffabec094d
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 2 d26da4f0733b1f4af61f9db3c0e5bd6e379022e41038cb2cf7f38e273bdcaf98e0afd9b119e0fd85b090afec3d46020cbaee0158015666360ccc73418a0d3794
>    ; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 0 2 6a4bd383b21927f44f09263819d2917edbd8a8ea58d97dac48c26a1e88e5c7062691366f79300705da4b68b5bf9153477241f7603faf4ac03d1cde69abaef328
> 
> You have three-year certificates; that may well be "too long": in
> 3 years' time you'll forget you have DANE TLSA records that need to
> change when you change your private/public key pair.  Also, after
> three years you'll probably want a new private key.
> 
> Carefully document the correct certificate rollover procedure and
> required DNS updates in README files in the directories where the
> certificates are kept and reference them in the main.cf file or
> other configuration files that use those certificates.
> 
> -- 
>       Viktor.

Thank you so much for these recommendations!
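Viktor's reasoning above (a "3 1 1" record survives a renewal that keeps the same key, a "3 0 1" record does not, and a "2 1 1" record for the issuing CA still matches when the end-entity key changes) can be checked before a rollover. The following is an added example, not code from the thread or from Postfix; it uses constructed byte strings in place of real DER certificates and SubjectPublicKeyInfo blobs, and a `depth` field in place of real chain building.

```python
import hashlib

# Constructed stand-ins for DER certificates and their SubjectPublicKeyInfo (SPKI).
# In practice the bytes come from the certificate files (openssl x509 -outform DER,
# and openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER); these are fakes.
EE_V1 = {"depth": 0, "cert": b"EE cert 2016", "spki": b"EE key 2016"}
EE_V1_RENEWED = {"depth": 0, "cert": b"EE cert 2019", "spki": b"EE key 2016"}  # same key
EE_V2 = {"depth": 0, "cert": b"EE cert 2019", "spki": b"EE key 2019"}          # new key
ISSUER = {"depth": 1, "cert": b"OV Server CA cert", "spki": b"OV Server CA key"}

def tlsa_data(entry, selector, mtype):
    """Certificate association data per RFC 6698: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512. Returned as lowercase hex."""
    blob = entry["cert"] if selector == 0 else entry["spki"]
    if mtype == 0:
        return blob.hex()
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return digest(blob).hexdigest()

def tlsa_record(usage, selector, mtype, entry):
    """The RDATA tuple (usage, selector, mtype, data) you would publish for this element."""
    return (usage, selector, mtype, tlsa_data(entry, selector, mtype))

def matching_depth(rr, chain):
    """Chain depth the record matches, or None. DANE-EE(3) must match the leaf
    (depth 0); DANE-TA(2) must match an issuer (depth >= 1). PKIX-TA(0) and
    PKIX-EE(1) are not usable for SMTP (RFC 7672), so they never match here."""
    usage, selector, mtype, data = rr
    for e in chain:
        right_depth = (usage == 3 and e["depth"] == 0) or (usage == 2 and e["depth"] >= 1)
        if right_depth and tlsa_data(e, selector, mtype) == data.lower():
            return e["depth"]
    return None

def rrset_ok(rrset, chain):
    """The presented chain is authenticated when at least one TLSA record matches."""
    return any(matching_depth(rr, chain) is not None for rr in rrset)

def rollover_check(rrset, old_chain, new_chain):
    """Pre-deployment check: for each published record, the depth it matches
    against the current chain and against the chain about to be installed."""
    return {rr[:3]: (matching_depth(rr, old_chain), matching_depth(rr, new_chain))
            for rr in rrset}

if __name__ == "__main__":
    published = [tlsa_record(3, 1, 1, EE_V1), tlsa_record(2, 1, 1, ISSUER)]
    for new_leaf in (EE_V1_RENEWED, EE_V2):
        print(rollover_check(published, [EE_V1, ISSUER], [new_leaf, ISSUER]))
```

Run it against the real chain by replacing the constructed blobs with DER bytes read from disk; any record whose new-chain depth comes back as None must be published (alongside the old one) before the new certificate goes live.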
